Mark failure to copy cred to user home as warning #3395
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tekton-robot
added
release-note
tekton-robot
added
the
size/XS
|
/test check-pr-has-kind-label |
|
/hold This needs some additional documentation added in auth.md to help users searching for more info on the error message. |
tekton-robot
added
the
do-not-merge/hold
ghost
mentioned this pull request
tekton-robot
added
size/M
|
/remove-kind cleanup |
tekton-robot
added
kind/documentation
|
/hold cancel I've added a section to our ever-growing auth.md to try and capture the reasons this warning appears and how to diagnose it. |
tekton-robot
removed
the
do-not-merge/hold
Prior to this commit a message could be seen in step logs when tekton failed to copy a credential from /tekton/creds to /tekton/home or $HOME (if disable-home-override feature flag is "true"). That message can be confusing because it appears to be an error when in actual fact it's a warning. The message appears when Steps inside a Task run with varying UIDs - one UID may copy the credentials first and then subsequent steps will attempt to copy over them. If a Step running as root, for examples, copies creds into /tekton/home, other non-root Steps will not be able to utilize those credentials. The message can also appear if a user has explicltly mounted credentials (via workspace or volumemount) in /tekton/home and has _also_ attached a service account to the task with creds-init credentials on it. The message serves as an indicator of a potential problem but not 100% guarantee that any issues in a Step are related to it. This commit updates the message to include a "warning:" prefix to indicate that it might (though not always) be a potential source of issues in your Step. This commit also adds documented to docs/auth.md to help users diagnose the impact of this message (including when they can safely ignore it).
ghost
added
kind/documentation
|
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
|
/lgtm |
|
/retest |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Contributes to #3399
Changes
Prior to this commit a message could be seen in step logs
when tekton failed to copy a credential from /tekton/creds
to /tekton/home or $HOME (if disable-home-override feature
flag is "true"). That message can be confusing because it
appears to be an error when in actual fact it's a warning.
The message appears when Steps inside a Task run with
varying UIDs - one UID may copy the credentials first
and then subsequent steps will attempt to copy over them.
If a Step running as root, for examples, copies creds
into /tekton/home, other non-root Steps will not be able
to utilize those credentials. Unfortunately this can manifest
in our own PipelineResources where the Steps they inject
use a mix of root & non-root base images.
The message can also appear if a user has explicltly
mounted credentials (via workspace or volumemount) in
/tekton/home and has also attached a service account
to the task with creds-init credentials on it.
The message serves as an indicator of a potential problem but
not 100% guarantee that any issues in a Step are related to it.
This commit updates the message to include a "warning:"
prefix to indicate that it might (though not always)
be a potential source of issues in your Step.
This commit also adds documentation to docs/auth.md to help
users diagnose the impact of this message (including when
they can safely ignore it).
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
Release Notes
/kind cleanup